Snort mailing list archives
PRISM ransomware rules
From: Y M <snort () outlook com>
Date: Thu, 29 Aug 2013 14:33:42 +0000
Another day another ransomware. Preserved a sample of the PRISM ransomware and up to VT; low detection rate. Rules below:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.PRISM outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"/page/index.php"; nocase; http_uri; content:"foo="; nocase; http_cookie; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|"; fast_pattern:only; http_header; content:"data="; nocase; depth:5; offset:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:1000031; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request for known malware domain sectempus.biz - Win.Ransomware.PRISM"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|sectempus|03|biz|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:1000032; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.PRISM outbound connection attempt"; flow:to_server,established; content:"GET"; http_method; content:"/page/index_htm_files2/"; nocase; fast_pattern:only; pcre:"/\x2f[a-z_|0-9]{2,}\x2e(css|js|jpg|png)$/U"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:1000033; rev:1;)
The last rule will generate several alerts since the ransomware is noisy and makes a lot of GET requests to fetch resources such as .html, .png, .jpg, .js, and .css. A pcre expression is present in an attempt to trigger on all resource GET requests instead of a rule for each.

However, it looks to me that it's not the best solution. Any pointers in the right direction are welcome as always.
Thanks
Yaser
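As an added illustration that is not part of the post above, the pcre from the third rule translated into Python and run over constructed URIs (none taken from real sample traffic), to show which resource requests the expression does and does not cover:

```python
import re

# Python translation of the Snort option pcre:"/\x2f[a-z_|0-9]{2,}\x2e(css|js|jpg|png)$/U".
# The /U flag makes Snort evaluate it against the normalized HTTP URI buffer, so the
# check below is run against URI strings only. Note that '|' inside a character
# class is a literal pipe, not alternation, so the class is effectively [a-z_0-9|].
RESOURCE_RE = re.compile(r"/[a-z_|0-9]{2,}\.(css|js|jpg|png)$")

# Constructed sample URIs (hypothetical, for the test only).
SAMPLE_URIS = [
    "/page/index_htm_files2/style_1.css",
    "/page/index_htm_files2/lock.png",
    "/page/index_htm_files2/prism.js",
    "/page/index_htm_files2/banner.jpg",
    "/page/index_htm_files2/index.html",    # .html is listed in the mail but not in the regex
    "/page/index_htm_files2/Logo.PNG",      # no /i flag, so uppercase never matches
    "/page/index_htm_files2/a.js",          # {2,} needs at least two name characters
    "/page/index_htm_files2/site.css?v=3",  # a query string defeats the $ anchor
]


def matches_resource_pcre(uri: str) -> bool:
    """True if the rule's pcre would fire on this normalized URI."""
    return RESOURCE_RE.search(uri) is not None


def classify(uris):
    """Map each URI to whether the pcre matches it; useful when tuning the rule."""
    return {u: matches_resource_pcre(u) for u in uris}


if __name__ == "__main__":
    for uri, hit in classify(SAMPLE_URIS).items():
        print(f"{'MATCH ' if hit else 'no    '} {uri}")
```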
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!